Publish your Privacy Notices
When you collect personal data from an individual you must provide them with privacy information. You need to do this by providing a privacy notice.
See our privacy notice template at the bottom of this page.
The GDPR is more specific about the information you need to provide to people about what you do with their personal data.
You must actively provide this information to individuals in a way that is easy to access, read and understand.
You should review your current approach for providing privacy information to check it meets the standards of the GDPR.
What is the right to be informed and why is it important?
The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing people with clear and concise information about what you do with their personal data.
Using an effective approach to provide people with privacy information can help you to comply with other aspects of the GDPR, foster trust with individuals and obtain more useful information from them.
What is a privacy notice?
A privacy notice is information presented to your members (young people and adults), at the point they are disclosing their personal data to you. This could be through an online or paper form.
The concept behind the notice is that it is:
- easily accessible
- written in clear and plain language
- free of charge.
You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website or information sheet, but you must make individuals aware of it and give them an easy way to access it. Your privacy notice must be given to individuals whenever you collect their personal data, both online and offline.
Communicate the processing of children’s personal data
Children have the same rights as adults so, when you collect children’s personal data, you must take particular care to ensure that the information you provide them with is appropriately written, using clear and plain language and presented in a way that appeals to a young audience.
If you are relying upon parental consent as your lawful bases for processing it will be good practice to provide separate privacy notices aimed at both the child and the responsible adult.
What you need to tell people in your privacy notice:
- the name and contact details of your Scout Group
- The name (this can be the role title), and contact details of your data protection lead
- The purposes of the processing
- The lawful basis for the processing
- The legitimate interests for the processing
- The details of transfers of the personal data to any third parties (eg OSM)
- The retention periods for the personal data
- The rights available to individuals in respect of the processing
- The right to withdraw consent
- The right to lodge a complaint with a supervisory authority
How should we draft our privacy information?
Your information audit or data mapping exercise can help you find out what personal data you hold and what you do with it.
You should think about the intended audience for your privacy information and put yourself in their position.
Tips on drafting your Privacy Notice
Keep it short
Use short sentences
use a friendy layout
adopt an honest tone
Consider the context in which you are collecting personal data. It is good practice to use the same medium you use to collect personal data to deliver privacy information.
How should we provide privacy information to individuals?
There are a number of techniques you can use to provide people with privacy information. You can use:
- A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
- Dashboards – preference management tools that inform people how their data is used and allow them to manage what happens with it.
- Just-in-time notices – relevant and focused privacy information delivered at the time individual pieces of information about people are collected.
- Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
- Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.
Taking a blended approach, using more than one of these techniques, is often the most effective way to provide privacy information.
Should we test, review and update our privacy information?
It is good practice to carry out user testing on your draft privacy notice to get feedback on how easy it is to access and understand.
After it is finalised, undertake regular reviews to check it remains accurate and up to date.
If you plan to use personal data for any new purposes, you must update your privacy information and proactively bring any changes to people’s attention.
When should we provide privacy information to individuals?
When you collect personal data from the individual it relates to, you must provide them with privacy information at the time you obtain their data.
When you obtain personal data from a source other than the individual it relates to, you need to provide the individual with privacy information:
- within a reasonable of period of obtaining the personal data and no later than one month;
- if the data is used to communicate with the individual, at the latest, when the first communication takes place
- if disclosure to someone else is envisaged, at the latest, when the data is disclosed.
You must actively provide privacy information to individuals. You can meet this requirement by putting the information on your website, but you must make individuals aware of it and give them an easy way to access it.
When collecting personal data from individuals, you do not need to provide them with any information that they already have.
When obtaining personal data from other sources, you do not need to provide individuals with privacy information if:
- the individual already has the information
- providing the information to the individual would be impossible
- providing the information to the individual would involve a disproportionate effort
- providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing
- you are required by law to obtain or disclose the personal data
- you are subject to an obligation of professional secrecy regulated by law that covers the personal